Tencent security team found a way to eavesdrop through an Amazon Echo
Alexa hasn’t always been the best listener. Devices running Amazon’s voice assistant are known to have mistaken background noise for user commands, prompting them to laugh inappropriately -- and in one case, send a recorded private conversation to a random contact.
To be clear, Alexa wasn’t spying on anyone in those instances. But it hasn’t stopped people from wondering if it’s possible for hackers to break in and eavesdrop through these devices.
At the DefCon security conference in Las Vegas over the weekend, a team of security researchers from Tencent demonstrated a way to remotely control an Amazon Echo, directing it to quietly record and transmit audio to an attacker.
The Tencent Blade Team exploited software on the smart speakers that allows devices to communicate with each other. Once the firmware on an Echo's flash chip has been rewritten, that Echo can be used to hack into other Echoes -- but only if the devices share the same Wi-Fi network.
That means it might be harder to use this hack to target average home users, whose Echoes are likely connected to a password-protected Wi-Fi network. At the same time, as Wired points out, this could leave Echoes in schools, hotels and other places with shared passwords at higher risk.
If you own an Echo, don’t worry. Amazon said it had already rolled out patches in July after it was alerted to the problem by the Tencent researchers. Amazon also told Abacus that the hack would have required a malicious actor to have physical access to a device and the ability to modify the device hardware. It said users don’t need to take any action because their devices have been automatically updated with security fixes.
This isn’t the first security vulnerability discovered by the Tencent Blade Team. Earlier this year it also found bugs in Xiaomi’s AI speaker -- one of the most popular in China. Xiaomi said in June it had fixed the loopholes.